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REMARKS 

The non-final Office Action, mailed January 25, 2006, considered and rejected claims 1- 
25. Claims 1-6, 8-13, 15-23, and 26 were rejected under 35 U.S.C. 103(a) as being unpatentable 
over CERT CC, "Cert Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web 
Requests" (CERT I) in view of CERT CC. "Underetanding Malicious Content Mitigation for 
Web Developer" (CERT II). Claims 7, 14. and 24 were rejected under 35 U.S.C. 103(a) as being 
unpatentable over the combination of CERT-Advisoty and CERT in view of Fischman et al. 
(U.S. Patent Pub!. No. 2003/0097588).' 

The Office Action also objected to Figures 1 and 2 of the present application, and 
requested conected drawings designating such figures as "Prior Art." Applicants respectfijlly 
traverse. In particular. Figures 1 and 2 illustrate exemplary features and environments 
corresponding to the present invention. For example. Figure 1 illustrates a block diagram of a 
network environment in which an electronic message may be used in facilitating a cross- 
scripting attack of a "HeUo" HTML page rctiuned from a server to a user computer. The 
displayed user computer and server can also be construed to include the inventive modules and 
computer-executable instructions described throughout the ^plication (although they are not 
explicitly referenced in Figure 1). Nevertheless, one of skill in the ait would recognize their 
presence in view of the disclosure of the application. Tn addition, Figure 2 is specifically 
provided as an illustration of the "present invention", as recited in the disclosure of the 
specification. Nowhere is Figure 1 shown to be or relied upon as prior art. Accordingly, it is 
rcspectfiiUy requested that the objections to the drawings be withdrawn. 

By this paper, claims 1, 7, 8 and 18 have been amended, while no claims have been 
added or cancelled.^ Following this paper claims 1-25 remain pending, of which claims 1, 8 and 
18 are the only independent claims at issue. 

Applicants' claimed invention is directed to systems, methods and computer program 
products in which a server mitigates cross-scripting attacks which would otherwise present non- 
server data in the context of server data. As recited in claim 8, for example, an HTTP request is 

' Althouah the prior art status of the tiled art is not being challenged at tiii$ time, Applicants reserve the right to chullcnEC the 
prior ttrt status of the cited ait at any oppropriutc time, should it arise. Acconlingiy, any arRumenif; and amendments nii«lc herein 
snouiti not be eonsmied as acquiescing to any prior an status of the cited oit. 

L^„"rioll!]li[rrIt!!.*i!*T 'h-wifihout riM! specification, including, bet not limned lo. the disclosuie found 

in originaJJy filed paragraphs [0007J and [0025J. 
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received by a server computer and includes input data that was not generated by the server 
computer. The HTTP request is then evaluated to determine if the input data includes a script 
construct indicating that the HTTP request is part of a cross-site scripting attack. If a script 
construct is found, the server refiises to execute the HTTP request, thereby preventing the cross- 
site scripting attack. In addition, a response is generated that indicates a script constract 
representing a cross-site scripting attack has been received, and resubmission of the HTTP 
request is requested. Inasmuch as each incoming HTTP request may be evaluated, the 
resubmitted HTTP request is then executed only upon determining that it docs not contain the 
script construct. 

Claims 1 and 18 arc directed to a method and conqjuter program product, respectively, 
and generally correspond to the method of claim 8. 

While the cited CERT 1 and CERT 11 references generally relate to preventing the 
insertion of malicious scripts in an HTTP request, they fail to disclose or suggest the present 
invention. For example, among other things, CERT I and CERT n fiiil to disclose or suggest 
generating a response indicating that a script construct has been received and requesting 
resubmission of the HTTP request, as recited in combination with the other recited elements. 

hi fact, CERT I and CERT II also fail to disclose executing the HTTP request submitted 
to the server. In particular, CERT I generally discusses the problem associated with malicious 
code inserted in cross-site scripting attacks, (p. 1-2). CERT I fijrthcr notes that usen> may take 
precautions to solve this problem (e.g., by disabling scripting or selectively visiting web sites). 
(P- 4, H 4, 5). In addition, CERT I cursorily notes that web site developers can prevent abuse of 
the site by allowing only a limited character set and by encoding and filtering data. (p. 5, 4- 
6). For the details on encoding and filtering, however, CERT I defers to the CERT II document. 

CERT U provides five steps to mitigate the vulnerability of presenting data as originating 
from that server, even if it does not In particular, CERT 11 describes these steps as: (i) expUcitly 
setting the available character set; (ii) identifying special characters; (iii) encoding dynamic 
output elements; (iv) filtering specific characters in dynamic elements; and (v) examining 
cookies, (p. 2, ^ 3). CERT II specifically identifies a variety of characters (i.e., special 
characters) which have an effect on how a page is displayed (e.g., greater-than and Icss-lhan 
signs, ampersand, double quotation marks, space, lab, new line, percent, semicolon. non-ASCH 
characters, curly braces, exclamation point, etc.). (p. 3). By understanding which special 
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Characters affect a web page, at the time data is output (or input), the web page is filtered to 
detect these special characters, (p. 4, 3, 4). Upon detection of these special charactei^, the 
system removes the special characters in the HTTP request. (See pp. 5, 6, C++, Javascript, and 
Perl examples). 

Accordingly, CERT I and CERT n disclose that when an HTTP request is received, the 
character set should be limited and special characters should be removed. In this manner, the 
HTTP request can be executed without giving any significance to the now^removed special 
characters. In contrast, however, to CERT I and CERT U which process the HTTP request 
(albeit without the special characters), AppUcants specifically recite refiising to execute the 
HTTP request so as to prevent the scripting attack and requesting that the request be resubmitted. 
In other words, CERT I and CERT II prevent the scripting attack by processing the page without 
the special characters, while the claimed invention refiises to execute ttie HTTP request until it is 
resubmitted. 

In addition. CERT I and CERT H also fail to disclose or suggest generating a response 
indicating that a script construct indicative of a cross-site scripting attack has been received and 
requesting resubmission of the HTTP request which is subsequently executed if it does not 
contain the script construct, as claimed in combination with the other recited elements. Id fact, 
inasmuch as CERT I and CERT II appear to disclose filtering portions of the request and then 
executing the HTTP request after it is received. Applicants respectfully submit that it would be 
irrational to request resubmission of the HTTP request for subsequent execution. 

As will be appreciated, requesting that a user resubmitted an HTTP request and notifying 
the user that the HTTP request includes an unauthorized script can provide significant benefits to 
the user not provided by the disclosure in the CERT T and CERT 11 references. For example, 
where the user, after selecting the link, is notified that the link is an attack, the user will alerted 
that the link was provided by an attacker rather than by an authorized source. As a result of this 
knowledge, the user can better detect links with such script constructs in the future, and avoid 
emails or web pages fiom the attacka-. avoid executing links provided by the attacker, block the 
specific attacker, or act in a variety of other ways to protect against attacks. While removing 
special characters may work to prevent the attack, it does not necessarily provide the potential 
benefit of educating the user as to the nature and existence of the attack. 
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In view of the foregoing. Applicant respectfully submits that the other rejections to the 
claims are now moot and do not, therefore, need to be addressed individually at this time. It will 
be appreciated, however, that this should not be construed as Applicant acquiescing to any of the 
puiported teachings or assertions made in the last action regarding the cited art or the pending 
application, including any official notice. Instead, Applicant reserves the right to challenge any 
of the purported teachings or assertions made in the last action at any appropriate time in the 
future, should it arise. Furthennore, to the extent that the Examiner has relied on any Official 
Notice, explicitly or implicitly. Applicant specifically requests that the Examiner provide 
references supporting the teachings officially noticed, as well as the required motivation or 
suggestion to combine references with the other art of record. 

For at least the foregoing reasons. Applicants respectfliUy submit that the pending claims 
are neither anticipated by nor made obvious by tlie art of record. In the event that the Examiner 
finds and remainmg impediment to a prompt allowance of this plication that may be clarified 
through a telephone interview, the Examiner is requested to contact the imdersigned attorney. 



Dated this 25 day of April, 2006. 

Respectfully submitted, 

RICKD, NYDEGGER 
Registration No. 28,651 
JENS C. JENKINS 
Registration No. 44,803 
Attorneys for Applicant 
Customer No. 047973 
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